USB Exploit Affects Nine Years of Intel Processors

Uh-oh. More bad news about Intel's Management Engine, the chipmaker's computer within a computer that runs on its own CPU and operating system. Sysadmins use it to remotely control and configure networked machines and it's been on about every CPU Intel has released since 2008.

Intel thinks it's the greatest thing since sliced bread. Others, such as the Electronic Frontier Foundation, say it's a security risk, since ME runs at a low level, beneath and unseen by whatever operating system the machine is running, and has control of the system's hardware.

Guess what? EFF was right several times over.

The first problem surfaced back in May when a vulnerability was discovered in AMT, a remote management toolkit that runs on ME. That vulnerability handed control of a machine to anyone who merely attempted a login and left the password field blank. Because this could be accomplished from across a network, or through the internet on public-facing machines, the flaw sent admins scrambling to disable AMT.

Intel fixed the problem with a firmware patch, but now another vulnerability has reached the light of day.

Back in September, researchers with the security firm Positive Technologies announced they'd discovered a way to exploit ME that offers what the company called "God-mode." It "allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard via Skylake," they said, and promised to unveil details of the flaw at Black Hat Europe in December.

Last week Positive Technologies released enough additional information about the exploit to worry any sysadmin who might be running an affected machine. Again, that's just about any Intel machine built in the last nine years or so. Details still won't be coming until the Black Hat conference, but we've now been told that unsigned code can be executed through USB, by taking advantage of ME's use of Joint Test Action Group (JTAG) debugging ports -- which are accessible through USB.

Gives a whole new meaning to plug 'n' play, eh?

The good news is that direct access is required to take advantage of this exploit. The bad news? Determined black hats can find a way to gain direct access. Don't forget that the cybersecurity weapon Stuxnet is believed to have been deployed against Iran's nuclear program by way of USB access.

At this point, smart sysadmins might be considering just disabling ME until Intel gets the problem solved. After all, in the overall scheme of things, remote control of a box isn't all that important if it compromises security. There's just one problem. Unlike AMT, which could be disabled, shutting down ME pretty much can't be done -- as Positive Technologies pointed out in a blog post published in August:

"The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor. Another complication lies in the fact that some data is hard-coded inside the PCH chip functioning as the southbridge on modern motherboards. The main method used by enthusiasts trying to disable ME is to remove everything 'redundant' from the image while maintaining the computer's operability. But this is not so easy, because if built-in PCH code does not find ME modules in the flash memory or detects that they are damaged, the system will not start."

An open source project, me_cleaner, has been working for several years on disabling ME just enough to allow systems to boot, but with results that are less than ideal according to Positive Technologies.

"But even if the system starts, the joy is short-lived—after about 30 minutes, the system may shut down automatically. The reason is that, after some failures, ME enters Recovery Mode, in which it can operate only for a certain period of time."

In other words, short of gluing shut all USB ports, there's not much admins can do but wait for Intel to issue a fix.